CryptoLocker Ransomware

This page describes the CryptoLocker virus and the procedures for removing it. Follow the guide carefully to delete the virus and regain access to your files. You can use the “Previous Versions” feature of Windows to recover files on the PC.

CryptoLocker is a virus or ransomware program that encrypts files on the infected computer. This malware arrives on the computer through another infection: a Trojan or other form of malware may probe the target computer for known weaknesses, and that infection is then used as the channel to drop CryptoLocker on the system. Upon execution, the virus injects code into the system folder as well as into the registry. This allows CryptoLocker to run on each Windows boot-up.

When running on the computer, CryptoLocker constantly reminds the user that files have been locked. It demands payment for the encryption key, costing 100 USD or 100 EUR depending on the location of the victim. CryptoLocker also tries to scare users by stating that any attempt to remove the virus will lead to immediate destruction of the private key, so the files would remain encrypted forever.

In the message, CryptoLocker states the following:

“Your personal files are encrypted! Your important files encryption produced on this computer: photos, videos, document, etc. Here is a complete list of encrypted files, and you can personally verify this… To obtain the private key for this computer, which will automatically decrypt files, you need to pay 100 USD / 100EUR / similar amount in another currency.”

Here is the scary part:

“Any attempt to remove or damage this software will lead to immediate destruction of the private key server.”

Paying the ransom for a program like CryptoLocker is likely to support online fraud activity. We highly encourage computer users not to pay for the private key. You may duplicate the encrypted files onto a separate hard drive and run legitimate decryption tools to find the one that works best with CryptoLocker.


Updates:

September 15, 2013: Ransom goes up from $100 to $300

The new version of CryptoLocker demands a ransom of $300, triple the price of the previous version. The attackers behind this malware are now taking full advantage of its ransomware potential. They know that users now see that there is no way out other than paying the demand. Even the MS Security Center, which identified this threat as Trojan:Win32/Crilock.A, states that complex methods are being used in the encryption process.

Nov 09, 2013: Re-infecting and recovering files

The attackers behind CryptoLocker have now devised a method that still allows users to request the private key even if the virus has been deleted from the computer and the required registry keys have been erased by an antivirus program. The CryptoLocker Decryption Service was launched on November 1, as a number of computer users had decided to re-infect their computers with the virus in order to buy the $300 private key.

With the CryptoLocker Decryption Service, you have to submit one infected file so that the server can search for the matching key pair. Once found, you can order and pay for the key that is required to recover the encrypted files. Be aware that this service can cost you 10 Bitcoins, roughly $2,120 at the current rate.

Ways to recover files encrypted by CryptoLocker.

Below are procedures for removing CryptoLocker from the computer. Since the public and private key combination is needed to decrypt the files, it is impossible to recover affected files at this point. We hope to find a workaround for this trouble in the following days. In the meantime, we will make the most of whatever we have on hand.

If your PC is running Windows Vista or Windows 7, there is a feature called ‘Previous Versions’. Note that this function only works if a restore point was saved prior to the CryptoLocker infection, i.e. if System Protection is enabled on the computer. Use Previous Versions to recover files without having to pay for the private key.
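Previous Versions (and the Shadow Explorer approach a commenter mentions further down) both read from Volume Shadow Copies. The following PowerShell script is an added example, not part of the original guide: it lists the shadow copies of the file's volume that predate the infection, mounts the newest one as a directory, and copies the pre-encryption version of a file out. The infection time and the file path are constructed placeholders; run it from an elevated prompt.

```powershell
# Added example: recover a file from a pre-infection Volume Shadow Copy.
# Assumed (constructed) values: when the ransom note first appeared and one
# encrypted file to recover. Get-WmiObject is used so this also works on the
# PowerShell 2.0 that ships with Windows Vista and Windows 7.
$InfectionTime = Get-Date '2013-09-15 14:00'                  # assumed
$FileToRecover = 'C:\Users\Alice\Documents\Budget.xlsx'        # assumed
$RestoreDir    = 'C:\Recovered'
$Mount         = 'C:\ShadowMount'

# Shadow copies are tied to a volume GUID, so map the drive letter first.
$drive    = $FileToRecover.Substring(0, 2)          # e.g. "C:"
$volumeId = (Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter -eq $drive }).DeviceID

# Win32_ShadowCopy.InstallDate is a CIM datetime string; convert it to [datetime].
$shadows = Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    ForEach-Object {
        $_ | Add-Member -NotePropertyName Created -NotePropertyValue `
            ([System.Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)) -PassThru
    } |
    Where-Object { $_.Created -lt $InfectionTime } |
    Sort-Object Created -Descending

if (-not $shadows) {
    Write-Warning "No shadow copy of $drive predates $InfectionTime; Previous Versions cannot help."
    return
}

# Show what is available so the operator can sanity-check the snapshot chosen.
$shadows | Format-Table Created, DeviceObject -AutoSize
$snapshot = @($shadows)[0]
Write-Host "Using shadow copy created $($snapshot.Created)"

# Expose the snapshot as a directory junction. The device path needs a
# trailing backslash for mklink to accept it as a directory target.
if (Test-Path $Mount) { cmd /c rmdir $Mount }
cmd /c mklink /d $Mount "$($snapshot.DeviceObject)\" | Out-Null

# The snapshot mirrors the volume layout, so strip the drive letter from the path.
$relative = $FileToRecover -replace '^[A-Za-z]:\\', ''
$source   = Join-Path $Mount $relative
if (Test-Path $source) {
    New-Item -ItemType Directory -Path $RestoreDir -Force | Out-Null
    Copy-Item -Path $source -Destination (Join-Path $RestoreDir (Split-Path $relative -Leaf))
    Write-Host "Recovered $relative from the pre-infection snapshot into $RestoreDir"
} else {
    Write-Warning "$relative does not exist in that snapshot; try an older one."
}

# rmdir removes only the junction; the shadow copy itself is untouched.
cmd /c rmdir $Mount
```

If the ransomware ran long enough for the shadow storage to roll over, no pre-infection snapshot will remain, which is why the guide says this only works when a restore point was saved beforehand.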

How to Remove 'CryptoLocker'

Systematic procedures to get rid of the threat are presented in this section. Make sure to scan the computer with the suggested tools and scanners.

Option 1 : Please use this recommended tool to remove the virus.

The first thing you should do is reboot the computer in Safe Mode with Networking to prevent CryptoLocker Ransomware from loading at start-up.

NOTE: You will need to PRINT or BOOKMARK this procedure, as we have to restart the computer during the removal process.

To start Windows in Safe Mode with Networking, please do the following:

2. Once the computer boots into Safe Mode with Networking, download the Removal Tool and save it on your Desktop or any location on your PC.

3. When finished downloading, locate and double-click on the file to install the application. Windows' User Account Control will prompt at this point, please click Yes to continue installing the program.
4. Follow the prompts and install with default configuration.
5. Before the installation completes, check the prompts so that the software runs and updates itself.
6. Click Finish. The program will run automatically and you will be prompted to update it before doing a scan. Please download the needed update.
7. When finished updating, the tool will run. Select Perform full scan on the main screen to check your computer thoroughly.
8. Scanning may take a while. When done, click on Show Results.
9. Make sure that all detected threats are checked, then click on Remove Selected. This will delete all files and registry entries that belong to CryptoLocker.
10. Finally, restart your computer.

Note: If CryptoLocker prevents mbam-setup.exe from downloading, download the software from another computer. Renaming it to something like 'anything.exe' can help elude the malware. You may skip Option 2 and proceed to Additional Scans below if you see that the steps above have totally removed the malware.

Option 2 : Remove CryptoLocker instantly with this Rescue Disk

This procedure requires a tool from Kaspersky, so it requires Internet access to download the files. If the virus blocks your Internet access, you have no other choice but to execute this guide from another computer.

Download Kaspersky Rescue Disk

Create A Bootable USB Drive

3. Insert a clean USB flash drive into an available slot. To record the ISO file and create a bootable USB drive, double-click on rescue2usb.exe. It will extract the files and create a folder called Kaspersky Rescue2Usb.
4. Kaspersky USB Rescue Disk Maker should run after the extraction. If not, browse the Kaspersky Rescue2Usb folder and run the rescue2usb file.
5. From the Kaspersky USB Rescue Disk Maker console, click on Browse and locate the file kav_rescue_10.iso.

6. Under USB Medium, select the USB drive you want to make into a bootable Kaspersky USB Rescue Disk. This will become a bootable virus scanner.
7. Click on Start to begin the process.
8. When the process is complete, it will display a notification message. Your tool to remove CryptoLocker is now ready.

Boot The Computer From The USB Kaspersky Rescue Disk 10

9. Since CryptoLocker uses a rootkit Trojan that controls Windows boot functions, we need to reboot the computer and select the newly created Kaspersky USB Rescue Disk as the first boot option. Most computers let you enter a boot menu and select which device or drive you want to start the PC from. Refer to your computer manual.
10. If you successfully enter the boot menu, choose the USB flash drive. This will boot the system into Kaspersky Rescue Disk. Press any key to enter the menu.

11. If it prompts for the desired language, use the arrow keys to select and then press Enter on your keyboard.
12. It will display the End User License Agreement. You need to accept these terms to be able to use Kaspersky Rescue Disk 10. Press 1 to accept.
13. The tool will prompt for various start-up methods. We highly encourage you to choose Kaspersky Rescue Disk Graphic Mode.

Remove CryptoLocker Using Windows Unlocker

14. Once the tool is running, you need to run WindowsUnlocker in order to delete the registry entries that belong to CryptoLocker. On the start menu located at the bottom left corner of your screen, select the K icon, or select WindowsUnlocker if it is present on the menu.
15. Select Terminal from the list. A command prompt will open.

16. Type windowsunlocker and press Enter on your keyboard.

17. From the selection, choose 1 - Unlock Windows to remove CryptoLocker. Use up/down arrow on keyboard to select and press Enter.

18. This utility will start removing any components that are blocking you from accessing the computer. It will display a log file containing the actions performed on the infected computer, such as deleted infected files and removed registry entries.
19. After removing the components of CryptoLocker, you need to scan the system using the same tool. On the start menu, select Kaspersky Rescue Disk.

20. Be sure to update the program by going to My Update Center tab. Click on Start update.
21. After the update, go to Object Scan tab and thoroughly scan the computer to locate other files that belong to CryptoLocker.
22. Restart the computer normally when done.

Additional anti-virus and anti-rootkit scans (Optional)

Ensure that no CryptoLocker files are left on the computer.

1. Click on the button below to download Norton Power Eraser from official web site. Save it to your desktop or any location of your choice.

4. Once the file is downloaded, navigate to its location and double-click on the icon (NPE.exe) to launch the program.
5. Norton Power Eraser will run. If it prompts for the End User License Agreement, please click on Accept.
6. On the NPE main window, click on Advanced. We will attempt to remove CryptoLocker components without restarting the computer.

9. On next window, select System Scan and click on Scan now to perform standard scan on your computer.

10. NPE will proceed with the scan. It will search for Trojans, viruses, and malware like CryptoLocker. This may take some time, depending on the number of files currently stored on the computer.

11. When the scan is complete, all detected risks are listed. Remove them and restart Windows if necessary.

Remove the Rootkit Trojan that installs CryptoLocker

For automatic removal of the rootkit Trojan using a free tool, you can refer to this guide. Download the tool and carefully follow the instructions.

1. Click on the button below to download the file FixZeroAccess.exe from official web site. A new window or tab will open containing the download link.

2. Close all running programs and remove any disc drives and USB devices on the computer.
3. Temporarily disable System Restore (if you are running Windows XP).
4. Browse for the location of the file FixZeroAccess.exe.
5. Double-click on the file to run it. If User Account Control prompts with a security warning and asks if you want to run the file, please choose Run.
6. It will open a Zero Access Fix Tool End User License Agreement (EULA). You must accept this license agreement in order to proceed with rootkit removal. Please click I Accept.

7. It will display a message and prepare the computer to restart. Please click on Proceed.

8. When it shows a message about 'Restarting System' please click on OK button.
9. After restarting the computer, the tool will display information about the identified threats. Please continue running the tool by following the prompts.
10. When it reaches the final step, the tool will show the scan result containing the deleted components of CryptoLocker and other identified viruses.

Alternative Removal Procedure for CryptoLocker

Option 1 : Use Windows System Restore to return Windows to previous state

During an infection, CryptoLocker Ransomware drops various files and registry entries. The threat intentionally hides system files by setting options in the registry. Given these rigid changes, the best solution is to return Windows to its previous working state through System Restore.

To verify if System Restore is active on your computer, please follow the instructions below to access this feature.

Access System Restore on Windows XP, Windows Vista, and Windows 7

a) Go to Start Menu, then under 'Run' or 'Search Program and Files' field, type rstrui.
b) Then, press Enter on the keyboard to open System Restore Settings.

Open System Restore on Windows 8

a) Hover your mouse cursor to the lower left corner of the screen and wait for the Start icon to appear.
b) Right-click on the icon and select Run from the list. This will open a Run dialog box.
c) Type rstrui on the 'Open' field and click on OK to initiate the command.

If a previous restore point was saved, you may proceed with Windows System Restore. Click here to see the full procedure.

Troubleshooting Guides

Does CryptoLocker block your Internet access?

Rogue programs commonly prevent users from downloading removal tools from the Internet. The infected computer may be denied Internet access through changes to the computer's proxy settings, DNS, and Hosts file. To fix the Internet connection problem, follow these steps:

1. Download the free program called MiniToolBox. Click the button below to begin. Save the file on your hard drive or preferably in your Desktop.

2. Close all running Internet browsers and double-click on the file to run it. It opens a window showing a list of features.
3. Make sure that you have a check mark on the following items : Flush DNS, Reset IE Proxy Settings, and Reset FF Proxy Settings.

4. Click on the GO button to start the process. The program automatically closes and displays a text file for your reference.
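If you would rather see what was changed before resetting it, the following PowerShell script is an added example (not part of the original guide or MiniToolBox) that inspects the three places named above, the WinINET proxy settings, the Hosts file and the DNS servers, and, when $Fix is set, performs the same "Reset IE Proxy Settings" and "Flush DNS" actions. Run it from an elevated prompt; Firefox keeps its own proxy preferences and is not covered.

```powershell
# Added example: check the proxy, Hosts file and DNS settings that malware
# tampers with to block access to security sites, and optionally reset them.
$Fix = $false   # set to $true to apply the proxy reset and DNS flush

# 1. WinINET (Internet Explorer) proxy settings, also used by many other programs.
$ie = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p  = Get-ItemProperty -Path $ie
Write-Host "ProxyEnable  : $($p.ProxyEnable)"
Write-Host "ProxyServer  : $($p.ProxyServer)"
Write-Host "AutoConfigURL: $($p.AutoConfigURL)"
if ($p.ProxyEnable -eq 1 -or $p.AutoConfigURL) {
    Write-Warning 'A proxy server or PAC URL is configured; if you did not set it, treat it as tampering.'
}

# 2. Hosts file: anything beyond comments and the default localhost lines is
#    worth a look, since redirecting vendor sites here is a common trick.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$suspect = Get-Content -Path $hostsPath | Where-Object {
    $_ -notmatch '^\s*#' -and
    $_.Trim() -ne '' -and
    $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\b'
}
if ($suspect) {
    Write-Warning ("Unexpected Hosts entries:`n" + ($suspect -join "`n"))
} else {
    Write-Host 'Hosts file contains only comments and localhost entries.'
}

# 3. DNS servers on every IP-enabled adapter; compare against what your
#    router or ISP should be handing out.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    Write-Host "$($_.Description): DNS = $($_.DNSServerSearchOrder -join ', ')"
}

if ($Fix) {
    # Same effect as MiniToolBox's "Reset IE Proxy Settings" and "Flush DNS".
    Set-ItemProperty -Path $ie -Name ProxyEnable -Value 0
    Remove-ItemProperty -Path $ie -Name ProxyServer, AutoConfigURL -ErrorAction SilentlyContinue
    ipconfig /flushdns | Out-Null
    Write-Host 'Proxy settings reset and DNS cache flushed; restart the browser.'
}
```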

Ways to Prevent CryptoLocker Infection

Here are some guidelines to help defend your computer from virus attack and malware activities. Being fully protected does not have to be expensive.

Install protection software to block CryptoLocker and other threats

Having an effective anti-malware program is the best way to guard your computer against malware and threats. Although the full version of an anti-malware program will cost some money, it is still worth buying one. With real-time scanning, it will be safer for you to browse the web, download files, and do more things online.

Keep all programs up to date

It is important to download critical updates for installed programs. Software updates include patches for security flaws that an attacker may use to enter the computer. These flaws may be exploited by CryptoLocker, viruses, and other malware to attack the computer. Crucial programs to keep updated are MS Windows, MS Office, Adobe Flash, Adobe Acrobat, and the Java Runtime.

Activate security features of your Internet browser

SmartScreen Filter, Phishing and Malware Protection, and Block Attack Sites are the respective security features of Internet Explorer, Google Chrome, and Mozilla Firefox. Although they may not fully guard your computer from online attacks, they at least lessen the risk. Enabling these features also helps to secure your private data and avoid identity theft.

Be a responsible Internet user

Antivirus programs and the security features of Internet browsers provide real-time protection and monitor harmful activities online. However, they can malfunction for various reasons, so you should not be fully dependent on these tools. It is always best to practice safety measures when using the Internet.

@mikered, I downloaded and followed your instructions but it wouldn’t scan the test folder I had created and I was running the program from the test folder. There didn’t seem to be anywhere to specify which directory to scan either. All the files that have corruption/encryption seem to be doc,docx, xlsx, and a few .jpg’s.. (So I take it from your comment “Note: te94decrypt tool is only for .exe file. It will not work on .RAR files” that the above files aren’t going to be found with it anyway.

No one has really given a solution to recovering the data, they have only given solutions on how to get rid of the virus, which isn’t all that helpful once the damage has already been done.

I work for an IT Dept that was the target and successfully attacked by this Virus. We tried everything to restore data after we removed the Virus. But, in the end, we paid the $100 and currently I am logged into the infected computer and am watching 10’s of thousands of files decrypt before my eyes. I have spoken to some other IT specialists, and we all agree that this is the first legit ransom virus, in where the hacker does what he says and runs the program to give you back exactly what you paid for. Any questions?

Just had a customer get bitten by this. I have found a cryptolocker registry entry that has a list of all the files that have been encrypted and there is also a public key entry. Anyone know if this can be used to unlock these files?

Josh: I DID pay the ransom, a message appeared that I needed to wait up to 48 hours but suddenly the window disappeared and nothing else happened. I was ripped off my 100 bucks and left with a bunch of encrypted files and a huge problem to solve….

We removed the virus via ESET NOD32 on our servers and all workstations at our office… Once we located the ‘problem’ computer, the pop up was there… I’m not sure how to fix your issue… Maybe your countdown ran out of time. It gave you 60 hours

If anyone has critical problems and is in dire need (Like we were) you can send me a few files and I will run them on our quarantined computer that is still running the decryption program we paid for.. I am going to space out my email address and phone number so the website doesn’t delete my post. 7 7 0 3 66 46 8 4
er vin joshua m @ g mai l . co m

You can txt me and I will get back to you when I’m done with work today, or send me an email and I will also help when I can..

In the end though… I would suggest paying the perp with a Greendot Moneypak pre paid card from Walgreens or CVS and let the program do its thing…. It started working at 7:15 PM EST and ended at 4:45 this morning…. Long night we had, but 100% of our files were decrypted and restored.

MLopez, I saw your previous post. 8 files would take 25 seconds to Decrypt… Send them to me and I will return them restored. Of course for free… I don’t want anything from any of you guys except to help the next person when you are ever able.

Hi Josh,
I have a good customer who opened an e-mail thinking it was from company house….and that was it. All his Excel and Word files are encrypted and believe it or not he is a small business with no backup. I removed the ransomware but now am left with the task of the encrypted files. He has told me he is willing to pay the ransom to get his files back but I think this is a no go as the programme is removed and I feel like I should have just paid straight away.?
Hope you can help.

For the person asking for the registry entry. Open regedit and do a key search on cryptolocker. You will find the entry that contains the list of encrypted files and their path. Also will show an entry for “public key”. I’m still looking for a way to apply the key to the affected files.
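The registry search the two comments above describe can be scripted. The following PowerShell is an added example, not posted by any commenter: it finds registry keys whose name contains "cryptolocker", dumps every value under them to a text file as evidence, and extracts anything that looks like a Windows file path into a separate list, which is the inventory of files to restore from backup or shadow copies. The page does not state the key's exact layout, so the script assumes nothing about it; the search roots and output locations are assumptions. Run it as the affected user from an elevated prompt.

```powershell
# Added example: export the encrypted-file list from the malware's registry key.
$Pattern = 'cryptolocker'                        # key-name pattern from the comments
$Roots   = 'HKCU:\Software', 'HKLM:\Software'    # assumed search scope
$Report  = Join-Path $env:USERPROFILE 'Desktop\cryptolocker-registry.txt'
$List    = Join-Path $env:USERPROFILE 'Desktop\encrypted-files.txt'

# Recursive key walk; access-denied subkeys are skipped rather than aborting.
$hits = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $Pattern }
}
if (-not $hits) {
    Write-Warning "No key matching '$Pattern' found under $($Roots -join ', ')"
    return
}

$paths = New-Object System.Collections.Generic.List[string]
$lines = foreach ($key in $hits) {
    "== $($key.Name)"
    # Record every value under the key and its subkeys (Name, value name, data).
    $subkeys = @($key) + @(Get-ChildItem -Path $key.PSPath -Recurse -ErrorAction SilentlyContinue)
    foreach ($sub in $subkeys) {
        foreach ($valueName in $sub.GetValueNames()) {
            $data = $sub.GetValue($valueName)
            "$($sub.Name)`t$valueName`t$data"
            # The file list may be stored as value names or as value data;
            # keep whichever side looks like a drive-letter path.
            foreach ($candidate in (@($valueName) + @($data))) {
                if ($candidate -is [string] -and $candidate -match '^[A-Za-z]:\\') {
                    $paths.Add($candidate)
                }
            }
        }
    }
}

$lines | Set-Content -Path $Report
$paths | Sort-Object -Unique | Set-Content -Path $List
Write-Host "$(@($hits).Count) key(s) dumped to $Report; $($paths.Count) file path(s) written to $List"

# Also keep a .reg export of each key, which is what the commenter above
# recommends doing before rebuilding the machine.
foreach ($key in $hits) {
    $out = Join-Path $env:USERPROFILE "Desktop\$($key.PSChildName).reg"
    reg export $key.Name $out /y | Out-Null
}
```

The paths list can be fed straight into a restore job (or into the shadow-copy recovery shown earlier in this page), and the .reg export preserves the "public key" value the commenters mention for anyone later investigating the infection.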

Jesse, actually from everything I’ve researched on this virus, it isn’t the normal ransomware bluff. It isn’t kidding when it says that it encrypts your files, and the encryption it uses is well above common grade easy to break for free encryption.

You will still need a private key I imagine, but it is the same public and private key for all infected machines. Hopefully in the next week it will be sorted out with a tool. Export the registry on infected machines if you are going to redo them.

So if the infection hits a file server, what can be done at this point? It hit my company on our Vice President's PC and infected her shared drive on our file server. This guy is a genius. I hope he gets caught.

Virus infected a client’s machine. Most files encrypted. What’s strange is that many files on a shared drive did not get encrypted because the user shut off their PC and disconnected from the network. I had thought after reading several posts that all the encryption occurred before the notification appeared.

Our machine has been cleaned (system restore, malwarebytes) but the remnant of the virus (registry keys with file locations) are still on the box. Is there a way we might re-infect the PC safely so that we can pay the ransom and get the files decrypted? I know many are mentioning the servers on the Internet might be down…not sure if this is true or not – and don’t want to double-encrypt our files.

I had the same situation on one of my client workstations. If you have windows 7 or 8 and business version or higher, you can hopefully exploit the volume shadow service that runs by default on those pc’s. Download the free utility Shadow Explorer at shadowexplorer.com and export your lost files from a timestamp that’s before the encryption. This worked for me.

Has anyone found a tool to decrypt your files once the virus is removed.. Is reinfecting your pc the ultimate solution at this point.. paying a ransom after all.. I sure do need my files.. keep me in the loop

I have the same thing in my computer but immediately I ran my Windows update restore, now I don’t see that message but how do I know my files are infected with cryptolocker? Still my PDF and Excel files do not open but there is no change in their extension. Please help me.

This afternoon, one of our pc’s is infected with cryptolocker malware. Yes, they are asking for $300. The PC user saved files (doc, xls, pdf) on the network. I am not able to open the files that are saved on the server. I am not sure if the server is fully infected or just the files.

I did look at PhotoRec – it is more of a software to restore deleted files.

I would like to pay $300 but do see lot of comments where the money was wasted and people are left WITHOUT any solution.

Nigel H Crosby : Did PhotoRec do a good job?
We have the whole Cloud infected ((. The virus is removed, but the files are all encrypted, so no idea now what to do. We are ready to pay, but the screen doesn’t appear any more !
Is there any account/email address to contact to pay this ransom??

OK my Post above ; It does not work ; the files are still damaged ; I checked the file size and CryptoLocker adds to the file size so a *.doc at 33.5Kb becomes 33.7Kb ; I’m sending these files to Panda Support so they can have a look and see if there is any way of unlocking them but I don’t hold much hope with an asymmetric or public key algorithm (PKA), a pair of keys is used. One of the keys, the private key, is kept secret and not shared with anyone. The other key, the public key, is not secret and can be shared with anyone. When data is encrypted by one of the keys, it can only be decrypted and recovered by using the other key. The two keys are mathematically related, but it is virtually impossible to derive the private key from the public key. The RSA algorithm is an example of a public key algorithm.

Public key algorithms are slower than symmetric key algorithms. Applications typically use public key algorithms to encrypt symmetric keys (for key distribution) and to encrypt hashes (in digital signature generation). So as you can see this is no normal hacking ; I found that they take a Prime number, Multiply it with another Prime Number that gives you the RSA Key and then I think it is reversed for the Private Key (that's a simple explanation) but these guys are far far cleverer than me ; so Just install the Backups

Sorry cannot help further ; will get back to you when I hear from Panda Support.

We got popped with it today… I have entered a $300 moneypak code to get the files decrypted… praying it works… the infected machine is Windows7 pro (on a domain), but all important associated files on a mapped network drive to a 2003 server got encrypted, so the shadowcopy recovery option on the infected machine is not an option. I am waiting for the “payments are processed manually, therefore, the expectation of activation may take up to 48 hours.”
Now… the suspense is that the win7 machine has to be online with my server and the mapped drives with the encrypted files (which is not infected as of yet… it only has the encrypted files stored on it)!!! It is exposed to anything this trojan may be doing/getting/sending in the background until the decryption starts!!

Files decryption… Your payment information is activated! Search and recovery of encrypted files! This software will be deleted after files decryption, make sure that all important files are decrypted!

So…………. the decryption is verified to be working… should be done in a matter of about 30 minutes… THANK GOD! I will report this to the FBI, since they are apparently working the issue with these morons! $300 lesson-learned for me!

I have found a painful yet easy way to get back files.
Open your excels, words and presentation online on google drive and then save again as ms office files. I have only a few files on desktop affected. It is easy but for people who have thousands of files, it is excruciating.

I have got a customer infected with this s**t and he paid 2 bitcoins to get rid of it.
Decryption took more than 24 hours but then I noticed infection was still on the computer (but on another user of the Win File Server).
I am using right now the Kaspersky solution described above to remove the ransomware since I fear that it could restart again if you do not remove from the server.
I really wish someone will be able to capture these criminals and torture them for at least the hours they have asked to all the people infected.
I’ll let you know if this removal will succeed… cross your fingers and pray for me.
Ciao
RP

Can you provide any more info on exactly what you did? I have tried this but can't get it to work.
It tells me I am trying to load the wrong format type.
I tried to convert when I imported to google drive, and i also tried leaving it unconverted.
No luck.
thank you

PS the information at the top of this article is right now the WORST possible thing you could do – removing the virus after it's encrypted files leaves you with encrypted files that can't be decrypted.

There WILL NOT be a decryption tool – it is not possible.

I am also interested in hearing from anyone who has successfully managed to reinfect a machine in order to get the ransom prompt again. This appears to be the best chance for those who have encrypted data and have already removed the virus.

Got hit with this on Wednesday. Removed it and files are still encrypted. I would also like to know of anyone using system restore to get reinfected and then paying the ransom to decrypt the files.
Can someone share their experience?

The Boss infected his computer Thursday afternoon and it had three days to percolate. Files on his box were not backed up. What I’ve done is to rebuild his computer with a new drive. I then took the old drive and used Norton Ghost to clone it to another drive of the same make and size to examine. This way, the original drive is effectively untouched with all the bad and infected files as they were intact. That way, if a solution to decrypting the files develops, I can save the files.

Also, we run Windows Server 2008 R2 and the server’s shared files got encrypted on it. Fortunately, I had backups, but for some reason if the encrypted files were simply overwritten, the encryption remained. I had to delete the infected files from the server, then recover my backup and then the files worked once more. I do not know if this is due to how Server 2008 write files or what, but after a day of frustration, this was what was needed to be done in order to put the back-up files onto the server.
